AWS Boosts S3 Security with Access Improvements and Encryption
Recent high-profile data breaches due to misconfigured accessibility and security settings have brought the Amazon S3 storage service under scrutiny.
Amazon Web Services (AWS), perhaps in an effort to correct its course, announced this week a few new features that will help improve S3 security.
First, administrators can now use the S3 console to identify storage buckets that are open for public access. The new Bucket Permissions Check tool also identifies the source of the public access, whether it comes from the bucket access control list (ACL), the bucket policy, or both. In a Monday blog post, Jeff Barr, AWS evangelist, stated that the feature allows users to “see the effect of changes to their bucket policies and ACLs as soon [they] make them.”
These are the new public-access alerts for the S3 console.
[Figure: The Amazon S3 console has a Bucket Permissions Check function that makes it easy for you to identify buckets that are open for public access. (Source: AWS/Jeff Barr)]
Second, S3 will automatically apply server-side encryption to new objects that don’t have it. Administrators can choose which type of encryption S3 applies automatically: S3-managed keys or AWS Key Management Service (KMS) keys.
Barr stated that if an unencrypted object is presented to S3 and the configuration indicates encryption must be used, the object will be encrypted using the encryption option specified for the bucket.
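The two checks described above, reproduced as an added example (not AWS’s or Barr’s code): it reports whether public access comes from the ACL, the policy or both, using the document shapes that boto3’s get_bucket_acl and get_bucket_policy return, and builds the ServerSideEncryptionConfiguration document that put_bucket_encryption expects for S3-managed or KMS keys. The ACL, policy and key alias are constructed sample values.

```python
"""Find the source of public access on an S3 bucket (ACL and/or policy) and
build a default-encryption configuration. Sample inputs are constructed."""
import json

# Grantee URIs that S3 treats as "everyone" / "any AWS account"
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl):
    """Permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GRANTEES)

def policy_is_public(policy_json):
    """True if any Allow statement names the anonymous principal '*'.
    Statements carrying a Condition block are still flagged (conservative)."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in ([aws] if isinstance(aws, str) else aws):
            return True
    return False

def public_access_sources(acl, policy_json=None):
    """Report where public access comes from, as the console check does."""
    sources = {}
    if acl_public_grants(acl):
        sources["acl"] = acl_public_grants(acl)
    if policy_json and policy_is_public(policy_json):
        sources["policy"] = True
    return sources

def default_encryption_config(kms_key_id=None):
    """SSE-S3 (AES256) unless a KMS key id/alias is given, then SSE-KMS."""
    rule = {"SSEAlgorithm": "AES256"}
    if kms_key_id:
        rule = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}

# Constructed sample ACL (world-readable) and policy (anonymous GetObject)
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEES and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(public_access_sources(SAMPLE_ACL, SAMPLE_POLICY))
    print(json.dumps(default_encryption_config("alias/example-key")))
```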
Administrators can now choose to receive regular reports from the S3 Inventory tool on the encryption levels of objects in their buckets. AWS also noted that this new feature in the S3 Inventory tool can be used by organizations for compliance auditing.
The next two feature updates relate to Cross-Region Replication (CRR), which allows users to replicate objects between buckets located in different AWS regions.
Monday’s announcement by AWS revealed that CRR can now replicate objects encrypted with KMS keys, which was previously not possible because KMS keys are region-specific. Barr explained that administrators now have the option to choose the destination key for cross-region replication. Encrypted objects are replicated to the destination via an SSL connection during the replication process. “The destination data key is encrypted using the KMS master key [the administrator] specified during the replication configuration. The object is kept in its encrypted original form; only the envelope containing keys is changed.”
Finally, CRR is now able to change the owner of a replicated object once it lands in the destination bucket. It can also revoke the previous owner’s ownership. Barr explained that this change allows administrators to keep separate and distinct stacks for the original and replica objects.
All of these S3 features are available immediately in every AWS region except Beijing, at no additional cost.